80738163270632 is the blog of Hernán Morales Durand


Thursday, March 27, 2014

Introduction

I have implemented a package called "Application Security" to provide a domain-independent security model which you can easily instantiate in your applications. It is based on patterns from the Application Security Pattern System introduced by J. Yoder and J. Barcalow in a PLoP (Pattern Language of Programs - a workshop for pattern researchers) paper in 1997, which has about 290 citations as of today.

Disclaimer

Although this package is acceptable for my security requirements, the software security world is a never-ending story. To recognize the whole dimension of this territory, I have collected a short summary of the most cited security pattern literature:

J. Yoder and J. Barcalow: One of the first security pattern languages, 7 patterns.

The Configuration automatically loads the stable versions for FFI and Nacl.

Passwords

The Application Security package contains two hasher adapters. One uses the hashing provided by Grease (a package for cross-Smalltalk compatibility that includes convenience methods), which is SHA-1 (160-bit, 20-byte hash value). The other, which is enabled by default, uses the Nacl cryptographic library, which provides SHA-512 through the libsodium binding for Pharo. And of course, to prevent rainbow table attacks in case of a breach, all passwords are salted.
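
The salting described above, as an added Python example that is not code from the Application Security package. It assumes a random 16-byte salt prepended to the password before a single SHA-512 pass (the page does not say how the package combines them), and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_BYTES = 16  # assumed salt length; the page does not state one


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) where digest = SHA-512(salt || password)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh salt per stored password
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the salted digest and compare it in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def build_unsalted_table(words):
    """Precomputed digest -> word lookup, the kind of table a salt defeats."""
    return {hashlib.sha512(w.encode("utf-8")).digest(): w for w in words}


def demo():
    # Constructed sample data: two users who chose the same password.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    table = build_unsalted_table(["123456", "correct horse", "letmein"])
    unsalted = hashlib.sha512(b"correct horse").digest()
    return {
        "same_password_same_digest": alice[1] == bob[1],
        "unsalted_found_in_table": unsalted in table,
        "salted_found_in_table": alice[1] in table or bob[1] in table,
        "alice_verifies": verify_password("correct horse", *alice),
        "wrong_password_verifies": verify_password("wrong", *alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A single SHA-512 pass is fast to compute, so the salt defeats precomputed tables but does not slow down guessing one stored password at a time; a deliberately slow password hash addresses that.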

User model

It contains the following main classes:

Registered user: A valid and registered user in the system.

Candidate user: A user who is currently not validated or confirmed, for example a user who is registering. It handles the registration identifier and expired registrations.

User group: Groups users that share a common property.

User registration: Maintains candidate registration information, such as the unique identifier of the URL link used for verification (during a period of time) and the candidate object.

Network

Application Security also contains network security utilities for access control based on IP addresses:

ASIPAddress: Represents an IP address.

ASIPAddressClass: For representing IPv4 address classes. This class is not intended to be used for doing subnetting (scaling, allocation, etc.).

ASIPAddressList: Access control list used for representing classful network architecture for IPv4 addresses. This class is not intended to be used for doing subnetting (scaling, allocation, etc.).

An IP address (ASIPAddress) is a helper class that supports querying IP address ranges. The following are some examples of setting up useful lists for filtering machines based on their IP addresses:

Repository

The repository is responsible for the persistence of secured objects. This covers queries as well as set modifications (insert/delete).
Currently it is based on the FUEL serialization package, but there is a plan to make it adaptable to other serializers.